In this article, I cover what EMV is, why we should care, when it should be implemented by merchants and whether merchants still need to meet the PCI DSS requirements.
What Is Emv?
I was once told credit card security was a "cat and mouse game," and I couldn’t agree more. EMV is like a really big cat, and credit card thieves are the pesky mouse.
EMV stands for Europay/MasterCard/Visa. EMV credit cards were designed and introduced to reduce fraud occurring in magnetic-stripe face-to-face environments, by using chips embedded into credit cards that use secret cryptographic keys to generate authentication and authorization data. EMV was first formed in 1993 in Europe and has been implemented in many countries, excluding the United States.
Why Should Merchants Care?
Merchants should care about EMV because it is already being implemented in the United States and will be a requirement starting October 2015.
Historically, merchants who needed a way to process credit cards would simply purchase Point-of-Sale (POS) terminals from their bank. These days, bad guys have caught on to this antiquated technology and exploited it at the expense of cardholders and merchants. Innovation has spurred new secure ways of processing cardholder data to protect cardholders and merchants from the pain and suffering of dealing with credit card fraud.
Full implementations of EMV specifications can mitigate the risk of compromised card data being used to commit face-to-face fraud. EMV implementations utilize different card verification values maintained on the chip from those maintained in the magnetic-stripe image data. In addition, when implemented in conjunction with PIN for cardholder data verification, EMV limits the impact of the lost/stolen/never-received categories of fraud. Evidence has clearly shown that in those countries where EMV has been deployed, there has been a measurable and significant reduction in face-to-face fraud. [1]
EMV has real numbers behind its effectiveness--in Canada, for example, fraud fell from $142 million in 2009 to $38.5 million just three years later. [2]
When Do We Need To Implement?
EMV will be a requirement come October 2015. Visa has set dates for a shift in fraud liability and if a merchant has not implemented EMV and fraud is committed at their business then they will be liable for covering the fraudulent charges, penalties and fees that come with breaches.
Do I Still Have To Be PCI Compliant?
Environments fully configured to take EMV can substantially reduce fraud in face-to-face environments but an EMV environment does not automatically fulfill PCI-DSS requirements nor does it protect the confidentiality of cardholders and sensitive authentication data. Add to this the capability of merchants to process both EMV and non-EMV transactions, and it becomes obvious that protecting the confidentiality of cardholders and sensitive authentication data is essential. [1]
By design, PCI-DSS does not distinguish between underlying transaction security mechanisms, but instead seeks to protect the Primary Account Numbers (PAN) and other sensitive authentication data as a goal without examining the underlying fraud risk should this data be compromised. In the future, should EMV become the sole means of payment in a given face-to-face channel, coupled with a globally adopted robust authentication process for card-not-present (CNP) transactions, the need to keep the PAN and other sensitive authentication data confidential would be significantly reduced. As a consequence, the PCI-DSS would be updated to bring it in line with the threat landscape that would then exist, and its applicability in relation to EMV reduced accordingly. Until such time, EMV and PCI-DSS together create a powerful two-pronged approach to the objectives of reducing fraud and increasing security.
Therefore, in securing the current face-to-face acceptance environment one should not consider it to be a case of either EMV or PCI-DSS, but rather EMV and PCI-DSS. Both are essential elements in the fight against fraud and data exposure. Together they provide the greatest level of security for cardholder data throughout the entire transaction process.
Conclusion
EMV is a proven credit card security technology already adopted by many countries around the world and is being adopted by the United States. Liability for merchants and consumers start in October 2015 and merchants should have their credit card environment ready to take EMV transactions by then or risk being held liable for credit card breaches. Implementing EMV is a smart and logical step for the United States that can greatly reduce fraud in a short amount of time. EMV and PCI-DSS are both to be implemented as one does not trump the other when it comes to protecting cardholder data. Meeting both requirements puts the merchant on the path to less stress because it will less likely have to deal with credit card fraud cases. Credit card security is a ‘cat and mouse’ game and EMV is a large step for merchants having a big healthy lion.
Daniel Ruiz is IT support liaison for Point-of-Rental Systems.
Footnotes:
[1] https://www.pcisecuritystandards.org/documents/pci_dss_emv.pdf
[2] http://insights.wired.com/profiles/blogs/fact-or-fiction-emv-in-the-united-states#axzz2hjr1oZ9Y
[3] http://www.tsys.com/acquiring/engage/white-papers/United-States-EMV-Adoption.cfm
[4] http://www.firstdata.com/downloads/thought-leadership/EMV_US.pdf
[5] http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf